In part 6 we installed and configured a vCenter Server Appliance in the lab. This will manage the various components, plus serve as an endpoint for vRealize Automation.
In this post we replace the default SSL certificates on the vCSA with trusted certificates issued by our in-house certificate authority.
Other posts in this series
- Intro
- Physical infrastructure – storage
- Physical infrastructure – networking
- Physical infrastructure – compute
- Authentication services
- Deploy and configure the vCenter Server Appliance
- Configure vCenter Server Appliance SSL certificates
- Deploy and configure the vRA Appliance
- Deploy and configure the IaaS platform
- Configure tenants
- Configure endpoint & fabric/business groups
- Configure blueprints (coming soon)
- Configure entitlements (coming soon)
- Configure policies (coming soon)
- Integration with vCloud Air (coming soon)
- Tidy up (coming soon)
SSL certificates
The vCSA uses self-signed certificates by default, which are fine for non-critical deployments but lack the security and professionalism of a proper deployment. Unfortunately, a lot of companies that implement vSphere still don’t take the time to deploy their vCenter Appliances with SSL certificates signed by a Certificate Authority.
Where possible, proper SSL certificates should always be used. When users or administrators connect to the vSphere environment they need to know that the appliance is genuine and was provisioned by the appropriate team.
For this part, I assume you have a Certificate Authority in place and have set up a template that can be used for this purpose. If not, VMware have a great knowledge base article that will help you create one: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
The CA we use in the lab is a two-tiered one hosted on Windows Server 2008 R2. It uses an offline standalone root CA and a subordinate enterprise CA for issuing certificates. The Certificate Revocation List is stored on an external website which can be reached from both inside and outside the network.
Create the requests
Download the latest release of OpenSSL to your workstation (currently 1.0.2d) from the OpenSSL website and install it. Click Next > through the five wizard pages, then click Install and finally Finish.
Open PowerShell:
powershell
Create the folders needed for the certificates:
$svc_array = @("vCenterSSO","InventoryService","LogBrowser","AutoDeploy")
ForEach ($svc in $svc_array) { New-Item C:\Certs\$svc -type directory }
Create the following configuration file and save it as C:\Certs\gen_conf.cfg:
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = VMware1!
output_password = VMware1!

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa, IP:192.168.146.205, DNS:vcsa.lab.mdb-lab.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = virtualhobbit
organizationalUnitName =
commonName = vcsa.lab.mdb-lab.com
The above is a generic configuration that will need to be tailored for each service (SSO, Inventory, Log Browser and AutoDeploy).
Customize for each service:
$certdir = "C:\Certs"
cd $certdir
ForEach ($svc in $svc_array) {
    $file = "$svc.cfg"
    $fullpath = Join-Path $certdir $svc
    $conf = Join-Path $fullpath $file
    Copy-Item $certdir\gen_conf.cfg $conf
    # fill in the empty OU with the service name so each certificate is distinguishable
    $content = (Get-Content $conf | % { $_ -replace "organizationalUnitName =", "organizationalUnitName = $svc" })
    Set-Content -Path $conf -Value $content
}
We now have a configuration file for each service. Using it we create a corresponding Certificate Signing Request (CSR) with:
ForEach ($svc in $svc_array) {
    $workingdir = Join-Path $certdir $svc
    C:\OpenSSL\bin\openssl req -new -nodes -out $workingdir\rui.csr -keyout $workingdir\rui.key -config $workingdir\$svc.cfg
}
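The three steps above (generic config, per-service copy with the OU filled in, CSR generation) can be done in one pass with OpenSSL on any system that has it. The script below is an added example and is not the post's own gen_certs.ps1: it writes the same request configuration for each service (minus the unused password entries), generates the key and CSR, and then reads the SAN entries back out of the CSR so that a mistake is caught before the request reaches the CA. CERT_DIR, the function names and the SAN check are my own assumptions; the DN, hostname and address values are the post's lab values.

```shell
#!/bin/sh
# Added example (not from the original post): per-service OpenSSL request
# config + CSR, with a SAN check before anything is submitted to the CA.
set -eu

CERT_DIR="${CERT_DIR:-./certs}"      # assumption: where requests are written
SERVICES="vCenterSSO InventoryService LogBrowser AutoDeploy"
FQDN="vcsa.lab.mdb-lab.com"
SHORT="vcsa"
IPADDR="192.168.146.205"

# Write the request config for one service; the OU carries the service name,
# which is how the four otherwise identical certificates are told apart.
write_conf() {
    svc="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$SHORT, IP:$IPADDR, DNS:$FQDN

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = virtualhobbit
organizationalUnitName = $svc
commonName = $FQDN
EOF
}

# Generate the key and CSR for one service directory. The key is written
# unencrypted (as in the post), so restrict it to the owner immediately.
gen_csr() {
    dir="$1"
    openssl req -new -nodes -config "$dir/rui.cfg" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" 2>/dev/null
    chmod 600 "$dir/rui.key"
}

# Print the SAN line of a CSR (the line after the extension heading).
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 only if the CSR carries every SAN entry we expect the CA to sign.
csr_has_sans() {
    sans=$(csr_sans "$1")
    for want in "DNS:$SHORT" "IP Address:$IPADDR" "DNS:$FQDN"; do
        case "$sans" in *"$want"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Config for every service; key + CSR too when openssl is on this host.
prepare_all() {
    for svc in $SERVICES; do
        mkdir -p "$CERT_DIR/$svc"
        write_conf "$svc" "$CERT_DIR/$svc/rui.cfg"
        if command -v openssl >/dev/null 2>&1; then
            gen_csr "$CERT_DIR/$svc"
            csr_has_sans "$CERT_DIR/$svc/rui.csr" \
                || { echo "SAN mismatch in $svc CSR" >&2; return 1; }
        fi
    done
}

prepare_all && echo "requests written under $CERT_DIR"
```

Run it as `CERT_DIR=/path/to/certs sh gen_csrs.sh`; each service directory then holds rui.cfg, rui.key and rui.csr, and the script fails loudly if a CSR does not carry the short name, the IP and the FQDN in its SAN.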
The following assumes you have an online Certificate Authority and have configured a template named VMwareSSL for issuing VMware certificates (substitute accordingly).
Submit the request:
$issuingCA = "issuingca.mdb-lab.com\mdb-lab.com Issuing CA"
$template = "CertificateTemplate:VMwareSSL"
ForEach ($svc in $svc_array) {
    $reqfile = "rui.csr"
    $crtfile = "rui.crt"
    $workingdir = Join-Path $certdir $svc
    cd $workingdir
    certreq -submit -config $issuingCA -attrib $template $reqfile $crtfile
}
We now have a config, request, key and certificate for each service.
Remove the config and request files:
Get-ChildItem C:\Certs -include *.csr,*.cfg -Recurse | Remove-Item
Download the certificate chain from your CA:
$issuingCA = "issuingca.mdb-lab.com"
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$chain = "$certdir\certnew.p7b"
$url = "https://$issuingCA/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64"
$wc.DownloadFile($url, $chain)
Convert the chain to PEM format:
$pemchain = "$certdir\certnew.pem"
C:\OpenSSL\bin\openssl pkcs7 -print_certs -in $chain -out $pemchain
Remove-Item $chain
Remove the subject/issuer comment lines and blank lines that openssl adds to the PEM file:
$cachain = "$certdir\cachain.pem"
Get-Content $pemchain | Where { $_ -notmatch "subject" -and $_ -notmatch "issuer" } | Set-Content $cachain
(Get-Content $cachain) | ? { $_.Trim() -ne "" } | Set-Content $cachain
Remove-Item $pemchain
Append the CA chain to each service certificate to build its chain file:
ForEach ($svc in $svc_array) {
    $workingdir = Join-Path $certdir $svc
    Get-Content $workingdir\rui.crt, $cachain | Set-Content $workingdir\chain.pem
}
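The clean-up above filters the pkcs7 output on the words "subject" and "issuer". As an added example (not from the post or its script), here is the same clean-up and chain assembly in POSIX shell with a stricter filter that keeps only the PEM blocks, plus a check that the assembled chain.pem starts with the service certificate and contains every CA certificate. The PEM bodies are constructed placeholders, not real certificates; the function names and the WORK directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): clean the "openssl pkcs7
# -print_certs" output into a CA chain and build chain.pem, leaf first.
set -eu

# Keep only PEM certificate blocks (BEGIN line through END line). Filtering on
# the words "subject"/"issuer" works for the comment lines OpenSSL prints but
# could in principle drop a base64 line containing those letters; this cannot,
# and it also removes blank lines and any other commentary.
extract_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {keep=1}
         keep {print}
         /^-----END CERTIFICATE-----$/ {keep=0}' "$1"
}

# Print the first certificate block of a PEM file.
first_cert() {
    awk '{print} /^-----END CERTIFICATE-----$/ {exit}' "$1"
}

# Number of certificate blocks in a PEM file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# chain.pem = the service's own certificate, then the CA chain in the order the
# CA published it (issuing CA before root). Both inputs are normalised first.
build_chain() {
    leaf="$1"; cachain="$2"; out="$3"
    { extract_pem_certs "$leaf"; extract_pem_certs "$cachain"; } > "$out"
}

# Sanity check before upload: first block is the leaf, and every certificate
# from both inputs is present.
check_chain() {
    out="$1"; leaf="$2"; cachain="$3"
    expected=$(( $(count_certs "$leaf") + $(count_certs "$cachain") ))
    [ "$(count_certs "$out")" -eq "$expected" ] || return 1
    [ "$(first_cert "$out")" = "$(extract_pem_certs "$leaf")" ] || return 1
    return 0
}

# With real certificates and openssl present: does the leaf chain to the CA?
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# --- constructed sample input (placeholders, not real certificates) ---------
WORK="${WORK:-./chainwork}"
mkdir -p "$WORK"
cat > "$WORK/certnew.pem" <<'EOF'
subject=/DC=com/DC=mdb-lab/CN=mdb-lab.com Issuing CA
issuer=/DC=com/DC=mdb-lab/CN=mdb-lab.com Root CA
-----BEGIN CERTIFICATE-----
ISSUINGCAPLACEHOLDER
-----END CERTIFICATE-----

subject=/DC=com/DC=mdb-lab/CN=mdb-lab.com Root CA
issuer=/DC=com/DC=mdb-lab/CN=mdb-lab.com Root CA
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFPLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$WORK/rui.crt"

extract_pem_certs "$WORK/certnew.pem" > "$WORK/cachain.pem"
build_chain "$WORK/rui.crt" "$WORK/cachain.pem" "$WORK/chain.pem"
check_chain "$WORK/chain.pem" "$WORK/rui.crt" "$WORK/cachain.pem" \
    && echo "chain.pem holds $(count_certs "$WORK/chain.pem") certificates, leaf first"
```

On real files, run `verify_leaf rui.crt cachain.pem` before uploading anything: a leaf that does not verify against the chain you are about to install on the appliance will only produce a non-zero result from vpxd_servicecfg later, where it is harder to diagnose.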
SSH to the vCenter Server Appliance and enter the root password you set previously:
ssh root@vcsa.lab.mdb-lab.com
Stop the Single Sign-On and vCenter services:
service vmware-stsd stop
service vmware-vpxd stop
Create folders:
for i in vpxd inventoryservice logbrowser autodeploy; do mkdir -p ssl/$i; done
Using SCP or SFTP, upload the cachain.pem file to the vCSA:
psftp root@vcsa.lab.mdb-lab.com
put C:\Certs\cachain.pem /root/ssl
Upload the contents of C:\Certs\vCenterSSO to /root/ssl/vpxd:
lcd C:\Certs\vCenterSSO
cd /root/ssl/vpxd
mput *
Change back to the SSH console and replace the SSL certificate:
cd /root/ssl/vpxd
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
Wait for the result. If the VC_CFG_RESULT is 0 the change was successful. If not, consult Decoding non-zero VC_CFG_RESULT for failed vpxd_servicecfg certificate changes (2057248).
Back up the lighttpd configuration:
cd /opt/vmware/etc/lighttpd/
mkdir BAK
cp * BAK/
Copy the chain file from the previous steps:
cp /root/ssl/cachain.pem /opt/vmware/etc/lighttpd/ca.crt
Add the certificate to the config file:
# the path must end up double-quoted inside lighttpd.conf, so single-quote the whole directive
echo 'ssl.ca-file = "/opt/vmware/etc/lighttpd/ca.crt"' >> /opt/vmware/etc/lighttpd/lighttpd.conf
Start the Single Sign-On service:
service vmware-stsd start
Unregister the Inventory Service from Single Sign-On (modify server name accordingly):
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk
Upload the contents of C:\Certs\InventoryService to /root/ssl/inventoryservice:
lcd C:\Certs\InventoryService
cd /root/ssl/inventoryservice
mput *
Change back to the SSH console and create a .pfx file:
cd /root/ssl/inventoryservice
openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
Copy the relevant files to the certificate directory:
cp rui.* /usr/lib/vmware-vpx/inventoryservice/ssl
Change permissions:
cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
Disable the shell history so that the plaintext password in the next command is not recorded:
unset HISTFILE
Re-register the Inventory Service with Single Sign-On (substitute accordingly):
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode install --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk --user Administrator@vsphere.local --password VMware1!
Restart services:
service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start
Unregister the Log Browser service from Single Sign-On (modify server name accordingly):
cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
Upload the contents of C:\Certs\LogBrowser to /root/ssl/logbrowser:
lcd C:\Certs\LogBrowser
cd /root/ssl/logbrowser
mput *
Change back to the SSH console and create a .pfx file:
cd /root/ssl/logbrowser
openssl pkcs12 -export -in chain.pem -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
Copy the relevant files to the certificate directory:
cp rui.* /usr/lib/vmware-logbrowser/conf
Change permissions:
cd /usr/lib/vmware-logbrowser/conf
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
Re-register the Log Browser Service with Single Sign-On (substitute accordingly):
cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode install --ls-server https://vcsa.lab.mdb-lab.com:7444/lookupservice/sdk --user Administrator@vsphere.local --password VMware1!
Restart services:
service vmware-logbrowser stop
service vmware-logbrowser start
Upload the contents of C:\Certs\AutoDeploy to /root/ssl/autodeploy:
lcd C:\Certs\AutoDeploy
cd /root/ssl/autodeploy
mput rui.*
Change back to the SSH console and copy the files into place:
cd /root/ssl/autodeploy
cp /root/ssl/autodeploy/rui.crt /etc/vmware-rbd/ssl/waiter.crt
cp /root/ssl/autodeploy/rui.key /etc/vmware-rbd/ssl/waiter.key
Change permissions and ownership:
cd /etc/vmware-rbd/ssl/
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key
Re-register the AutoDeploy Service with Single Sign-On (substitute accordingly):
service vmware-rbd-watchdog stop
if [ -f /var/vmware/vpxd/autodeploy_registered ]; then rm -f /var/vmware/vpxd/autodeploy_registered; fi
service vmware-vpxd restart
Reboot the appliance:
reboot
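Once the appliance is back, it is worth confirming from a workstation that each listener actually presents the new certificate and that it validates against the CA chain. The script below is an added example, not part of the post or its script: it probes each service port with openssl s_client, reports subject, issuer and expiry, and fails if OpenSSL cannot verify the chain. The hostname defaults to the lab's vCSA; the service-to-port table and the function names are my own assumptions and should be adjusted to your deployment.

```shell
#!/bin/sh
# Added example (not from the original post): post-change check that every
# vCSA listener presents a certificate that verifies against cachain.pem.
set -u

VCSA="${VCSA:-vcsa.lab.mdb-lab.com}"   # assumption: lab hostname
CACHAIN="${CACHAIN:-./cachain.pem}"    # the CA chain built earlier

# service:port pairs to probe (assumed defaults; adjust to your deployment)
endpoints() {
    printf '%s\n' "vpxd:443" "sso:7444" "inventoryservice:10443" \
                  "logbrowser:12443" "autodeploy:6501"
}

# Full s_client transcript for one port, including the verify verdict.
probe() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$CACHAIN" </dev/null 2>&1
}

# Read an s_client transcript on stdin: 0 if OpenSSL verified the chain.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Subject, issuer and expiry of the certificate in a transcript on stdin.
cert_summary() {
    openssl x509 -noout -subject -issuer -enddate 2>/dev/null | tr '\n' ' '
}

# Probe every endpoint; return the number of failures.
check_all() {
    failed=0
    for ep in $(endpoints); do
        svc=${ep%%:*}; port=${ep##*:}
        out=$(probe "$VCSA" "$port")
        if printf '%s\n' "$out" | verify_ok; then
            echo "OK   $svc ($port): $(printf '%s\n' "$out" | cert_summary)"
        else
            reason=$(printf '%s\n' "$out" \
                | grep -e 'Verify return code' -e 'connect:' | head -n 1)
            echo "FAIL $svc ($port): ${reason:-no response}"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh check_vcsa_certs.sh <vcsa-fqdn>
if [ $# -gt 0 ]; then
    VCSA="$1"
    check_all
fi
```

A "Verify return code: 21 (unable to verify the first certificate)" on a port means the service sent only its leaf and the workstation could not find the issuing CA; with the full chain in -CAfile that is masked, so to confirm that lighttpd really serves the intermediate (the reason for the ssl.ca-file step above), run the probe with only the root certificate in CACHAIN.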
The complete PowerCLI script to the above can be found at https://github.com/virtualhobbit/blog/blob/master/gen_certs.ps1.
Coming up
In this part we configured our vCenter Server Appliance to use SSL certificates signed by a Certificate Authority.
In part 8 we deploy and configure the vRealize Automation Appliance.